CVE-2026-57019: An Improper Validation of Specified Quantity in Input vulnerability in the Packet Forwarding Engine (pfe) of Juniper Networks Junos OS on MX Series allows an unauthenticated, adjac
An Improper Validation of Specified Quantity in Input vulnerability in the Packet Forwarding Engine (pfe) of Juniper Networks Junos OS on MX Series allows an unauthenticated, adjacent attacker to cause a Denial-of-Service (DoS).
When a specific packet is received from device in the same broadcast domain, an affected system calculates the packet size incorrectly. This causes further packet processing to fail, which triggers an FPC major error, resulting in a FPC reset impacting traffic until the FPC has automatically recovered.
Affected scenarios are: MAP-T, or non-IP traffic encapsulated in IP (e.g. MPLS over GRE).
When this issue happens the following logs can be observed:
fpc<#> CMError: /fpc/0/pfe/0/cm/0/MQSS(0)/0/MQSS_CMERROR_LI_INT_REG_UNROLL_TAIL_LENGTH_OVF (0x2205eb), scope: pfe, category: functional, severity: major, module: MQSS(0), type: LI: Unroll TAIL length overflow, oc_category: default
fpc<#> Performing action reset-fru for error /fpc/0/pfe/0/cm/0/MQSS(0)/0/MQSS_CMERROR_LI_INT_REG_UNROLL_TAIL_LENGTH_OVF (0x2205eb) in module: MQSS(0) with scope: pfe category: functional level: major, oc_category: default
This issue affects Junos OS on MX Series:
- all versions before 23.2R2-S6,
- 23.4 versions before 23.4R2-S7,
- 24.2 versions before 24.2R2-S4,
- 24.4 versions before 24.4R2-S4,
- 25.2 versions before 25.2R2.
Details
Original advisory: https://nvd.nist.gov/vuln/detail/CVE-2026-57019
Exploitation outlook
EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.
- Low exploitation riskCVE-2026-570190.27% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 19% of all scored CVEs.
Referenced CVEs
| CVE | CSIRTS overview | External |
|---|---|---|
| CVE-2026-57019 | coverage & exploitation status | NVD · CVE.org |
Same CVEs, other sources
How other CERTs, PSIRTs and databases cover the vulnerabilities in this advisory.
- high[NEW] [high] Juniper JUNOS and JUNOS Evolved: Multiple vulnerabilitiescert-bund
- unknownJuniper Junos OS Multiple Vulnerabilitieshkcert
- unknownMultiple vulnerabilities in Juniper Networks products (July 09, 2026)cert-fr-avis
Recent advisories for An Improper Validation
A cluster of recent advisories against the same product widens the attack surface — attackers routinely chain freshly published CVEs on one product, so review these together.
- unknownCVE-2026-49844: Improper encoding of non-finite floating-point values during MapMessage JSON serialization in …nvd · 2026-07-10
- mediumCVE-2026-56312: Capgo before 12.128.2 contains an improper validation vulnerability in the accept_invitation e…nvd · 2026-07-10
- highCVE-2026-40454: Out-of-bounds Read, Improper Input Validation vulnerability in Apache IoTDB C++ client. Out-of…nvd · 2026-07-10
- unknownCVE-2026-21057: Improper input validation in Samsung Pass prior to version 5.2.10.3 allows local privileged at…nvd · 2026-07-10
- unknownCVE-2026-21053: Improper input validation in Samsung Email prior to version 6.2.13.1 allows local attackers to…nvd · 2026-07-10
- highCVE-2026-15288: The SureForms – Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to…nvd · 2026-07-10
More from NVD Recent CVEs
- unknownCVE-2026-57828: The Joomla extension Phoca Downloads is vulnerable to an authenticated arbitrary file upload t…2026-07-11
- unknownCVE-2026-57827: The Joomla extension RSFiles is vulnerable to an unauthenticated arbitrary file upload that al…2026-07-11
- highCVE-2026-1359: The Genolve – AI image AI video generation plugin for WordPress is vulnerable to unauthorized m…2026-07-11
- highCVE-2026-9282: The W3 Total Cache plugin for WordPress is vulnerable to Directory Traversal in all versions up…2026-07-11
- mediumCVE-2026-9017: The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to autho…2026-07-11